Cryptography and Security Final Exam

Similar documents
Cryptography and Security Midterm Exam

Cryptography and Security Final Exam

Cryptography and Security Final Exam

Cryptography and Security Final Exam

MATH 158 FINAL EXAM 20 DECEMBER 2016

Lecture 1: Introduction to Public key cryptography

Security Protocols and Application Final Exam

Chapter 8 Public-key Cryptography and Digital Signatures

Practice Assignment 2 Discussion 24/02/ /02/2018

Question: Total Points: Score:

Public-Key Cryptosystems CHAPTER 4

Lecture V : Public Key Cryptography

Discrete Logarithm Problem

Public Key Cryptography

Lecture 22: RSA Encryption. RSA Encryption

Mathematics of Cryptography

CPSC 467: Cryptography and Computer Security

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Cryptography and Security Midterm Exam

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

1 Number Theory Basics

Introduction to Modern Cryptography. Benny Chor

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

ASYMMETRIC ENCRYPTION

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Introduction to Cybersecurity Cryptography (Part 4)

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Information Security

Introduction to Cybersecurity Cryptography (Part 4)

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Fundamentals of Modern Cryptography

Asymmetric Encryption

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

CPSC 467b: Cryptography and Computer Security

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Notes for Lecture 17

ECS 189A Final Cryptography Spring 2011

Solution to Midterm Examination

Introduction to Elliptic Curve Cryptography. Anupam Datta

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Cryptography IV: Asymmetric Ciphers

CPSC 467b: Cryptography and Computer Security

Public-Key Encryption: ElGamal, RSA, Rabin

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Public-key Cryptography and elliptic curves

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Exam Security January 19, :30 11:30

Other Public-Key Cryptosystems

Exercise Sheet Cryptography 1, 2011

Other Public-Key Cryptosystems

Introduction to Cryptography. Lecture 8

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Introduction to Elliptic Curve Cryptography

Introduction to Modern Cryptography. Benny Chor

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

CS 355: Topics in Cryptography Spring Problem Set 5.

RSA. Ramki Thurimella

CPSC 467: Cryptography and Computer Security

CRYPTOGRAPHY AND NUMBER THEORY

RSA RSA public key cryptosystem

Lecture Notes, Week 6

Elliptic Curve Cryptography

Public Key Cryptography

Digital Signatures. Adam O Neill based on

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

The security of RSA (part 1) The security of RSA (part 1)

10 Public Key Cryptography : RSA

Chapter 4 Asymmetric Cryptography

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Asymmetric Cryptography

You submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.

10 Concrete candidates for public key crypto

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

One can use elliptic curves to factor integers, although probably not RSA moduli.

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Week : Public Key Cryptosystem and Digital Signatures

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Mathematical Foundations of Public-Key Cryptography

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

CPSC 467b: Cryptography and Computer Security

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Algorithmic Number Theory and Public-key Cryptography

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

CIS 551 / TCOM 401 Computer and Network Security

5199/IOC5063 Theory of Cryptology, 2014 Fall

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Transcription:

Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not allowed the exam invigilators will not answer any technical question during the exam readability and style of writing will be part of the grade

1 Stealing Bitcoins We recall the ECDSA signature scheme. We are given a point G of an elliptic curve and its prime order n. A secret key is a value d Z n and the public key is the point Q = dg. To sign a message M, we pick a random k Z n and we compute r = (kg) 1 mod n, where (kg) 1 denotes the x-coordinate of kg and (kg) 1 denotes its conversion into an integer; we compute s = H(M)+dr k mod n, where H(M) is the digest of M; the signature of M is (r, s). To verify a signature (r, s) of a message M for Q, we just compare r with a function V of (G, n, Q, r, s, M). Q.1 Say what is the verification function V. 2

Q.2 Assuming that a signing algorithm is implemented using a terrible random number generator (namely, with one for which the generated number often repeats), show that given two signed messages (M, r, s) and (M, r, s ) for the public key Q, an adversary may extract the secret key d. 3

Q.3 We recall that a bitcoin transaction for an account Q is a signature of a will to collect the UTXO utxo 1,..., utxo t owned by Q and split them to some accounts Q 1,..., Q u. Assuming that a user has implemented his ECDSA signing algorithm using a terrible random number generator, show how we can steal his bitcoins. 4

2 Kleptography Alice wants to communicate securely with Bob. For that, she buys a highly secure tamperproof device from the company mole.com and uses it to communicate. Upon reset, this device generates its own RSA secret key with random primes p and q, modulus n, and exponents e and d. In this implementation, the exponent e is random and of the same size as the modulus. It outputs n and e. Then, when we input a ciphertext, it decrypts it and returns the plain message. Q.1 Suggest a modulus length for good security and describe the algorithm to generate e. Q.2 The company mole.com is hiding a trapdoor to be able to decrypt messages. For this, there is a symmetric secret key t which is put inside the device and the exponent e is chosen of form SymEnc t (p) random. Explain how mole.com can decrypt messages sent to Alice. Q.3 Some agencies from the axis of evil (in the sense of G.W. Bush) succeed to reverse engineer devices from mole.com. Show that this creates a major national security issue for the country in which these devices are sold. 5

Q.4 Using asymmetric encryption, propose a new generation of mole.com devices which allows the company to continue to decrypt messages without risking a security break in the case of reverse engineering. Q.5 In the above question, when the selected asymmetric encryption is RSA, observe that due to moduli sizes, this decreases the security of the encryption. Propose a way to fix this. 6

3 AES-GCM Issues We recall the GCM mode of AES. We modified it a bit for simplicity in this exercise: we assume no associated data, all messages have a length multiple of 128 bits, and the authentication tag has 128 bits. To encrypt a message P with an AES key K and a 96-bit nonce IV, we split it into m 128-bit blocks P = (P 1,..., P m ) and run the following algorithm (written in pseudocode). 1: J i = IV (i + 1 mod 2 32 ) 32, i = 0,..., m, where x 32 is the binary representation of x in 32 bits 2: C = (C 1,..., C m ) where C i = P i AES K (J i ) 3: H = AES K (0 128 ) (called the authentication key) 4: S = C 1 H m C m H (with multiplications in GF(2 128 )) 5: T = S AES K (J 0 ) 6: the output is (C, T ) Q.1 Give the description of decryption/authentication in pseudocode. Q.2 Assuming that a user encrypts a message with m larger than 2 32, show how an adversary can recover the XOR of some plaintext blocks from the ciphertext (C, T ). 7

Q.3 Assuming that a user encrypts two messages P and P with the same nonce IV, show how an adversary can recover a set of small cardinality which contains the authentication key H. (For simplicity, we assume that P and P have the same length.) Q.4 If the adversary knows a set of small cardinality to which H belongs, show how he can decrypt any ciphertext (C, T ) with a nonce IV by a chosen ciphertext attack. 8

4 Prime Reuse in RSA In this exercise, we consider a pool of D RSA keys with a modulus length of s bits. We recall that the probability of a uniformly distributed random number in {1,..., n} to be prime is approximately 1 ln n. Q.1 Say how to check if two different RSA moduli use a prime factor p in common and why it is a security problem. Q.2 Using truly random prime numbers, estimate the probability that there exist two RSA keys on the Internet which have a prime factor in common (or estimate the number of pairs with a common prime factor). Justify your answer precisely. 9

Q.3 By scanning public keys over the Internet, one can find about D = 11 170 883 keys of size s = 1 024. We observed that 16 717 RSA keys share a common prime factor. What can we deduce? 10

5 Subgroup Issues in the Diffie-Hellman Protocol Let g be an element of a (multiplicative) Abelian group G and let g denote the subgroup of G generated by g. Let q denote the order of g. Let n denote the order of G. We consider the Diffie-Hellman protocol in which Alice picks a secret x Z q, computes X = g x, sends X to Bob. Bob picks a secret y Z q, computes Y = g y, sends Y to Alice. Alice checks that Y g and computes K = Y x. Bob checks that X g and computes K = X y. Let B be a given bound. Given q = q s q l with q s = p α 1 1 pαr r where the p i are pairwise different small primes (i.e. p i B) and q l has no small factor except 1, we denote F B (q) = {(p 1, α 1 ),..., (p r, α r )}. We recall that we have efficient (i.e. polynomial in B+log q) partial factoring algorithms to compute F B. We also recall that if p is a small prime (i.e. p B) and g G is an element of order p α, then there is an efficient (i.e. polynomial in αb) algorithm to compute the discrete logarithm in g. More precisely, there is an algorithm L 0 such that L 0 (B, p, α, g, g x ) = x mod p α. Q.1 If g has order q and (p 1, α 1 ) F B (q), show that there is an efficient algorithm to compute x mod p α 1 1 from g x. More precisely, show that there is an algorithm L 1 such that L 1 (B, q, p 1, α 1, g, g x ) = x mod p α 1 1 for any x. Justify your answer. Q.2 If g has order q = q s q l with q s = p α 1 1 pαr r where F B (q) = {(p 1, α 1 ),..., (p r, α r )}, show that there is an efficient algorithm to compute the modulo q s part of the discrete logarithm in g. More precisely, show that there is an algorithm L such that L(B, q, g, g x ) = x mod q s for any x. Justify your answer. 11

Q.3 With the previous notation, show that if instead of picking x in Z q Alice picks x uniform in {1,..., q s 1} Z q, then a passive adversary can recover x. Q.4 We now assume that y is a static key (i.e. Bob runs many sessions of the protocol by using the same value y). We consider that after the Diffie-Hellman protocol, Bob sends the encryption of a known message m (e.g. the null message m = 0) with the key KDF(X y ). Encryption is done using a deterministic symmetric encryption. We write n = pqr where p is a small prime (i.e. p B). Show that if Bob does not verify that X g, an active adversary can recover y mod p by malciously selecting X. 12

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback